Federal Communications Commission
Office of Inspector General

FY 2002 Government Information Security Reform Act (GISRA) Independent Evaluation

September 16, 2002

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE
SCOPE
RESULTS OF FISCAL YEAR 2002 INDEPENDENT EVALUATION
APPENDIX A  OIG Responses to OMB M-02-09 GISRA Reporting Questions
APPENDIX B  Report on Automated Auction System (Audit Report No. 02-AUD-02-08)

EXECUTIVE SUMMARY

Background

The Government Information Security Reform Act (“GISRA” or “the Security Act”) was signed into law as part of the Fiscal Year (FY) 2001 Defense Authorization Act (Public Law 106-398). The Security Act amended the Paperwork Reduction Act of 1995 by adding a new subchapter on information security. The Security Act, which became effective on November 30, 2000, applies to all Federal agencies.

A key provision of the Security Act requires that the agency Office of Inspector General (IG), or independent evaluators designated by the IG, perform an annual evaluation of the agency’s information security program and practices. The Federal Communications Commission’s (“the Commission” or “FCC”) IG engaged KPMG, LLP to conduct the independent evaluation of the FCC’s information security program and practices for FY 2002.

The purpose of the evaluation was to review the Commission’s security program including, but not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management.

Using the National Institute of Standards and Technology (NIST) “Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)” as the basis for our methodology, our objective was to evaluate the effectiveness of the Commission’s information security program by assessing the risk for each component of the program. As applicable, additional guidance was drawn from the methodology provided in the Federal Information System Controls Audit Manual (FISCAM), as well as from other laws and directives related to management and protection of Federal information resources.

The Office of Management and Budget’s (OMB) Memoranda M-01-08, entitled “Guidance on Implementing the Government Information Security Reform Act,” and M-02-09, entitled “Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action,” were followed to perform and report the results of the independent evaluation.

Evaluation Objective

Our objective was to evaluate the effectiveness of the Commission’s information security program by assessing the risk for each component of the program.
The evaluation encompassed a review of the Commission’s security program including security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management.

The specific objectives of this review were as follows:

1. Obtain an understanding of the Commission’s Information Technology (IT) infrastructure.

2. Obtain an understanding of the Commission’s information security program and practices.

3. Use the GISRA security assessment tools (i.e., the NIST Self-Assessment Guide and FISCAM) to evaluate the effectiveness of the Commission’s information security program and assess risk for each component of the program. At a minimum, the assessment was required to include an identification and ranking of the critical IS threats to the FCC IT infrastructure on a risk/vulnerability basis.

4. Prepare the annual submission in accordance with the OMB reporting requirements mandated under GISRA for FY 2002. In addition to preparing the annual submission, the contractor was required to provide a detailed report that (1) identifies and ranks the critical security risk factors and (2) contains observations and recommendations for improvement, if any.

5. Follow up on the findings of the Fiscal Year 2001 GISRA review that are documented in OIG report number 01-AUD-11-43, entitled “Report on Government Information Security Reform Act Evaluation - Findings and Recommendations,” issued November 29, 2001.

Evaluation Scope

The scope of our independent evaluation included the security infrastructure managed by the Office of the Managing Director’s Information Technology Center (ITC) and the Auctions Automation Branch of the Commission’s Wireless Telecommunications Bureau (WTB). The Security Act also requires that agencies select an appropriate subset of business applications for review. Our audit of the Automated Auction System, our follow-up audit of computer control conditions at the FCC’s Consumer Center, and our audit of Auctions physical security controls satisfy this requirement. The conclusions of these audits are included with the results of our independent evaluation of the Commission’s information security program and practices.

The evaluation encompassed a review of the Commission’s security program including, but not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management. During our evaluation we reviewed documentation provided by the Commission, reviewed previously performed special reviews and audits, conducted interviews of Agency staff, and performed other activities of inquiry and observation.

Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).

The evaluation methodology used was the National Institute of Standards and Technology (NIST) “Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)”. As applicable, the methodology prescribed by the Federal Information System Controls Audit Manual (FISCAM) was used to assess management, operational, and technical controls during our risk assessment, together with the following laws and directives related to management and protection of Federal information resources:

• Presidential Decision Directive (PDD) 63, entitled “Critical Infrastructure Protection.”
• PDD-67, entitled “Continuity of Operations Planning (COOP).”
• OMB Circular A-130, entitled “Management of Federal Information Resources,” as revised on November 30, 2000.
• OMB M-01-08, entitled “Guidance on Implementing the Government Information Security Reform Act,” dated January 16, 2001.
• OMB M-97-16, entitled “Information Technology Architectures.”
• OMB M-97-02, entitled “Funding Information Systems Investments.”
• The Computer Security Act of 1987 (PL 100-235).
• OMB M-01-24, entitled “Reporting Instructions for the Government Information Security Reform Act,” dated June 22, 2001.
• FCC Instruction 1479.2, “Computer Security Program Directive.”

Our observations have been organized according to the NIST control areas of management controls, operational controls, and technical controls. The control areas are defined below and the specific control techniques addressed by each are outlined.

Management Controls – Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed were:

• Risk Management
• Review of Security Controls
• Life Cycle
• Authorize Processing (Certification and Accreditation)
• System Security Plan

Operational Controls – Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed were:

• Personnel Security
• Physical and Environmental Protection
• Production, Input/Output Controls
• Contingency Planning
• Hardware and System Software Maintenance
• Data Integrity
• Documentation
• Security Awareness, Training and Education
• Incident Response Capability

Technical Controls – Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The specific technical control objectives addressed were:

• Identification and Authentication
• Audit Trails
• Logical Access Controls

Results of Fiscal Year 2002 Independent Evaluation

We have concluded that the Federal Communications Commission is dedicated to implementing and maintaining effective security control measures throughout the agency. Our independent evaluation for the current fiscal year and our audit/follow-up audits of the Automated Auction System, Consumer Center, and Auctions Physical Security yielded several positive observations relative to the Commission’s information security program and practices.

During the prior year’s independent evaluation, security deficiencies were reported and recommendations for improvement made to the agency. The Commission developed, and has reported on a quarterly basis, its plan of actions and milestones (POA&M) for each finding, as required by OMB M-01-24, “Reporting Instructions for the Government Information Security Reform Act”. As indicated in the POA&Ms issued to OMB, FCC management is effectively monitoring and tracking the progress of the corrective actions planned for each of the prior year’s findings. We identified that several of the FY 2001 findings have been corrected and that corrective action has been defined and/or enacted for all others.

The FCC’s IT Strategic Plan was published in June of 2002. The plan outlines the near- and long-term directions for the agency’s IT architecture and program. It also sets forth goals which reflect the core mission and values of the IT program as well as the agency’s core strategy goals of Broadband, Spectrum, Media, Homeland Security, Competition, and Modernizing the FCC.
The agency is also in the process of developing a Computer Security Strategic Plan which will address management, operational, and technical controls, physical protection of information resources, and future computer security needs of the Commission.

During the reporting year, ITC, in a joint effort with system owners, completed security plans for sixteen (16) of its seventeen (17) major applications and general support systems, including the Automated Auction System and the Auctions Network general support system. A security plan was also developed for the FCC’s Consumer Center. Our review of the plans indicates that they incorporate the elements recommended by OMB Circular A-130. Each security plan also includes newly developed Rules of Behavior for application users to execute. Additionally, Security Tests and Evaluations (ST&E) were completed for eleven (11) of the FCC’s fifteen (15) major applications, including the Automated Auction System. Control weaknesses identified during the evaluations have been communicated to system owners for resolution prior to granting final certifications and accreditations.

The FCC has recently completed a number of Computer Security Desk Reference Guides that provide technical procedures for system administrators and developers as guides on implementing the information security program and practices. These include the Security Guide for UNIX System Development and Administration, Identification and Authentication on FCC Computer Systems, Security Guide for Application and System Management Guide, Computer Incident Handling Guide, and the Computer Incident Response Team Guide.

The Commission’s IT Contingency Plan is being drafted. The plan will address resumption and continuity of services at the FCC’s Portals I location, as well as the Consumer Center in Gettysburg, PA, which has been designated as the agency’s hot site. The approach has been to involve business process owners from the various bureaus as well as ITC and Consumer Center staff. Once the draft is completed, the IT Contingency Plan will be tested, finalized, and integrated with the Facility Contingency Plan to comprise an overall agency plan for continuity of services.

The Computer Security Office continues to proactively promote awareness of information security at all levels of the agency. Numerous security briefings were held throughout the year to educate program and bureau officials on information security issues. Additionally, ITC has established the Computer Security Program repository on the Commission’s Intranet, where FCC policies, procedures, bulletins, and alerts on protecting the agency’s computer resources are easily accessible to ITC staff and customers at the Portals I and Consumer Center locations.

While the Commission has implemented numerous positive controls over its computer resources, we identified areas of improvement for management, operational, and technical controls. Implementing corrective actions for the identified weaknesses will increase the effectiveness of the agency’s information security program and practices. As prescribed by OMB M-02-09, “Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action”, a plan of action for each finding identified during the FY 2002 independent evaluation, including milestones and completion dates, should be developed by the agency. The plans should identify the corrective actions that the agency intends to take to address control areas that need strengthening and identify any obstacles which may impede correction of the deficiencies noted.

The final report of detailed findings and recommendations resulting from the FY 2002 GISRA independent evaluation is expected to be completed and issued by November 30, 2002.

APPENDIX A

FY 2002 Government Information Security Reform Act (GISRA) Independent Evaluation

Federal Communications Commission - Office of Inspector General
Responses to OMB M-02-09 GISRA Reporting Questions

The Office of Management and Budget (OMB) issued memorandum M-02-09 on July 2, 2002 as guidance to agencies on reporting the results of Fiscal Year (FY) 2002 independent evaluations performed in accordance with the Government Information Security Reform Act (“GISRA” or “the Security Act”). Included with the memorandum were questions regarding high-level management performance measures that were to be addressed by Agency Heads, Agency Program Officials, and Offices of Inspector General (IG). To that end, the Federal Communications Commission’s (“FCC” or “Commission”) IG, in this appendix to our report, is providing its responses to the thirteen (13) questions regarding performance measures.

The IG has based its responses to questions related to the Commission’s information security program and practices on our FY 2002 independent evaluation. Other questions, not necessarily specific to the agency’s information security program and practices, were addressed by obtaining information from the Commission’s Information Technology Center (ITC), which worked with the appropriate agency offices to prepare responses. These questions, which were outside the scope of our independent evaluation, have not been validated by the IG. We have restated each question posed by OMB and provided our response directly after each question.

I. General Overview

1. OMB Question:
Identify the agency’s total security funding as found in the agency’s FY02 budget request, FY02 budget enacted, and the President’s FY03 budget. This should include a breakdown of security costs by each major operating division or bureau and include critical infrastructure protection costs that apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection pertaining to lead agency responsibilities such as outreach to industry and the public.

FCC-IG Response:
Per instructions issued by the Office of Management and Budget (OMB), the Office of Inspector General (IG) is not required to address this question.

2. OMB Question:
Identify and describe as necessary the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials, CIOs, or IGs in both last year’s report (FY01) and this year’s report (FY02) according to the format provided below. Agencies should specify whether they used the NIST self-assessment guide or an agency-developed methodology.
If the latter was used, confirm that all elements of the NIST guide were addressed.

FCC-IG Response:

                                            FY01    FY02
a. Total number of agency programs.           1       1
b. Total number of agency systems.           17      17
c. Total number of programs reviewed.         1       1
d. Total number of systems reviewed.         17      17

FY01: The IG conducted a review of one (1) major application, the Consolidated Database System (CDBS). FCC’s Information Technology Center (ITC) assessed general support systems and major applications through a combination of a system-wide risk analysis, a penetration test, development of security plans, and security tests and evaluations on several major applications.

FY02: The IG conducted a FISCAM-based review, which incorporated guidance from NIST, FIPS and other federal guidance, of one (1) major application, the Automated Auction System. ITC performed risk assessments in accordance with NIST SP 800-26 on all major applications and general support systems.

3. OMB Question:
Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law. (Section 3534(c)(1)-(2) of the Security Act.) Identify the number of reported material weaknesses for FY01 and FY02, and the number of repeat weaknesses in FY02.

FCC-IG Response:

                                                        FY01    FY02
a. Number of material weaknesses reported.                5       5
b. Number of material weaknesses repeated in FY02.        -       5

Sources: Report on the Federal Communications Commission Fiscal Year 2000 Financial Statement Audit, June 25, 2001. Report on the Federal Communications Commission Fiscal Year 2001 Financial Statement Audit, April 30, 2002.

II. Responsibilities of Agency Head

1. OMB Question:
Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth the Security Act’s responsibilities and authorities for the agency CIO and program officials. Specifically, how are such steps implemented and enforced? Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

FCC-IG Response:
The FCC Chairman has specifically directed the agency Chief Information Officer (CIO) and Computer Security Officer (CSO) to act as the single points of contact for implementing the Security Act provisions and assessing compliance at all levels of the agency. While program officials are responsible for specific missions within their Bureau or Office, the CIO has been directed to centrally manage IT security for the agency. This mandate has been implemented through the assignment of a CSO and the development of a Computer Security Strategic Plan that, when completed, will be integrated with the IT Strategic Plan. ITC has indicated that investments are required to be reviewed by, and concurred with by, the agency CIO. On September 10, 2002, the FCC-IG began an audit of the Commission’s IT capital investment program and practices, which will, among other things, verify whether a major operating component can make IT investment decisions without the review and concurrence of the CIO.

2. OMB Question:
How does the head of the agency ensure that the agency’s information security plan is practiced throughout the life cycle of each agency system? (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.) During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the life cycle of each system?

FCC-IG Response:
On November 8, 2000, the CIO and IG completed a collaborative effort that established policy and procedures for development of IT systems over the complete life cycle. The FCC Systems Development Life Cycle (SDLC) provides specific activities and tasks that must be followed in managing medium to large-scale systems. The system security plan development process was modified to specifically identify the security controls and processes to be addressed at each stage of the SDLC.

The IG is planning to conduct an audit of the SDLC policy to evaluate the implementation and adoption of the policy and its required procedures. In FY 2002, ITC conducted a review of the SDLC process as part of NIST’s Self-Assessment Guide (SP 800-26) to ensure that the agency is looking at security controls during the appropriate life-cycle phase. Adjustments were made to the process and the changes were promulgated throughout the agency.

3. OMB Question:
How has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? (Sections 3534(a)(1)(B) and (b)(1) of the Security Act.) Does the agency have separate staffs devoted to other security programs? Are such programs under the authority of different agency officials? If so, what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?

FCC-IG Response:
For the Commission’s information technology resources, physical and operational security are integrated and centrally managed under a single program. The Director of the Information Technology Center is designated as the Commission’s CIO. The CIO is responsible for establishing the agency’s computer security program, inclusive of network and application security plans, continuity of operations/disaster recovery plans, and incident handling procedures, as well as for authorizing systems to operate.

The FCC’s CSO is responsible for the development, administration, and oversight of the Commission’s IT security programs. Among the CSO’s duties are developing and reviewing general support system and major application security plans, COOP and contingency plans, and incident handling procedures, as well as assisting the FCC bureaus/offices with IT system security program development and administration.

The CSO is in the process of drafting a Computer Security Program Strategic Plan which will be integrated with the agency’s IT Strategic Plan. This plan will support the minimum essential critical programs, identify the infrastructure protection planning roles and responsibilities, provide for vulnerability assessments of Commission computer-based assets, and establish an emergency management and incident handling program, including continuity of operations and disaster recovery plans.

Additionally, the CSO has been appointed to sit on the FCC’s Homeland Security Policy Council to provide a link between the agency’s IT security measures and Federal Homeland Security initiatives.

Oversight of physical security of the Commission has been assigned to the Commission’s Security Officer. The Security Officer is responsible for agency security operations including physical security, employee and contractor badges, lock and key services, site guard services, and a security operations center.

4. OMB Question:
Has the agency undergone a Project Matrix review? If so, describe the steps the agency has taken as a result of the review. If not, describe how the agency identifies its critical operations and assets, their interdependencies and interrelationships, and how it secures those operations and assets. (Sections 3535(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

FCC-IG Response:
The FCC has not undergone a Project Matrix review. However, during March 2001 a working group was formed to propose an agency definition for “major information system” and identify the FCC’s major information systems from a comprehensive inventory of FCC information systems.

In January 2002, the CIO approved the following definition for major information system (MIS):

    “…a system – either automated or manual – requiring special management attention because it meets at least one of the following attributes:

    • It has high annual or system life cost associated with its development, operations, and maintenance;
    • It plays a significant role in the efficient administration of the Commission’s programs, finances, property, or other revenue generating programs;
    • It has potential to cause a high risk or harm to the Commission if its associated data were compromised.”

Using the newly approved definition, a new list of “major applications” or “major information systems” was approved by the CIO.
Major applications added from the 2002 FCC IT study will be addressed as part of the FY03 security program.

5. OMB Question:
How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities? Identify and describe the procedures for external reporting to law enforcement authorities and to the General Services Administration’s Federal Computer Incident Response Center (FedCIRC). Identify actual performance according to the measures and the number of incidents reported in the format provided below. (Section 3534(b)(2)(F)(i)-(iii) of the Security Act.)

FCC-IG Response:

a. Total number of agency components, including bureaus and field activities: One (1)
b. Number of agency components with incident handling and response capability: 4 Computer Incident Response Teams (CIRT)
c. Number of agency components that report to FedCIRC: 1
d. Does the agency and its major components share incident information with FedCIRC in a timely manner consistent with FedCIRC and OMB guidance? Yes
e. What is the required average time to report to the agency and FedCIRC following an incident? Within 24 hours
f. How does the agency, including the programs within major components, confirm that patches have been tested and installed in a timely manner? By conducting scans using Symantec’s Enterprise Security Management (ESM) assessment software.
g. By agency and individual component, number of incidents (e.g., successful and unsuccessful network penetrations, root or user account compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans, password access) reported by each component: FY01: 4; FY02: 3*
h. By agency and individual component, number of incidents reported externally to FedCIRC or law enforcement: FY01: 4; FY02: 3*

* FCC-IG obtained documentation which verifies the occurrence and reporting of one (1) of the three (3) incidents that occurred in FY02.

III. Responsibilities of Agency Program Officials

1. OMB Question:
Have agency program officials: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? (Section 3534(a)(2) of the Security Act.)

FCC-IG Response:

COMPONENT OR BUREAU NAME          TOTAL NUMBER OF SYSTEMS
Total number of agency systems    17; 2 General Support Systems (GSS) and 15 Major Applications

OMB Question:
By each major agency component and aggregated into an agency total, from last year’s report (FY01) and this reporting period (FY02), identify actual performance according to the measures and in the format provided below for the number and percentage of total systems.

FCC-IG Response:

COMPONENT OR BUREAU NAME: agency total (17 systems)

a. Systems that have been assessed for risk: FY01: 10 (59%); FY02: 12 (71%)
b. Systems that have been assigned a level of risk after a risk assessment has been conducted (e.g., high, medium, or basic): FY01: 17 (100%); FY02: 17 (100%)
c. Systems that have an up-to-date security plan: FY01: 6 (11%); FY02: 16 (94%)
d.
Systems that have been authorized for               0        0%           0          0%\n   processing following certification and\n   accreditation.\n   e. Systems that are operating without                 16       94%          17         100%\n   written authorization (including the\n   absence of certification and accreditation).\n   f. Systems that have the costs of their               17       100%         17         100%\n   security controls integrated into the life\n   cycle of the system.\n   g. Systems for which security controls                 8       47%           2         12%\n   have been tested and evaluated in the last\n   year.\n   h. Systems that have a contingency plan.*             17       100%         2*         12%*\n   i. Systems for which contingency plans                 0        0%          0*         0%*\n   that have been tested in past year.*\n      *The FY01 GISRA independent evaluation resulted in a finding that the agency\xe2\x80\x99s existing\n       contingency plans were outdated and recommended that the plans be updated. With the\n       exception of one major application system and one general support system, during the FY02\n       follow-up on prior year finding it was determined that an up to date contingency plan has not\n\n\n                                                                                            A-7\n\x0c           been implemented, and thus no testing had been performed. However, the agency is currently\n           developing Information Technology continuity of operations and disaster recovery plans,\n           which will address resumption and continuity of services for the remaining general support\n           systems and major applications. The plan will also include requirements for conducting\n           periodic tests of the plan.\n\n\n\n2. 
OMB Question:\n   For operations and assets under their control, have agency program officials used\n   appropriate methods (e.g., audits or inspections) to ensure that contractor provided\n   services (e.g., network or website operations) or services provided by another agency\n   for their program and systems are adequately secure and meet the requirements of\n   the Security Act, OMB policy and NIST guidance, national security policy, and\n   agency policy? Identify actual performance according to the measures and in the\n   format provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of\n   the Security Act.)\n\n   FCC-IG Response:\n   External contractor or other agency services are provided by: Digital Systems Group,\n   Mellon Bank, JPMorgan Chase Bank, Colsen Bank, Quick Hire, the National Finance\n   Center (Department of Agriculture, New Orleans), and the National Business Center\n   (Department of Interior, Denver).\n\n   Internal contractor services are provided by: Nova Technologies for ITC Operations,\n   Vistronix for the Computer Resource Center, and AAC, Inc., Computech, and Zen\n   Technologies for the Wireless Telecommunications Bureau.\n\n                            COMPONENT OR BUREAU NAME\n                                                                              FY01      FY02\n        a. Number of contractor operations or facilities.                      9         10\n        b. Number of contractor operations or facilities reviewed.             3          3\n\n\nIV. Responsibilities of Agency Chief Information Officers\n\n1. OMB Question:\n   Has the agency CIO: 1) adequately maintained an agency-wide security program; 2)\n   ensured the effective implementation of the program and evaluated the performance\n   of major agency components; and 3) ensured the training of agency employees with\n   significant security responsibilities? 
Identify actual performance according to the\n   measures and in the format provided below. (Section 3534(a)(3)-(5)) and (Section\n   3534(a)(3)(D), (a)(4), (b)(2)(C)(i)-(ii) of the Security Act.)\n\n   FCC-IG Response:\n\n                                                              FY01                   FY02\n        a. Other than GAO or IG audits and reviews,                   10                    12\n\n\n                                                                                             A-8\n\x0chow many agency components and field\nactivities received security reviews?\nb. What percentage of components and field\n                                                        59%                71%\nactivities has had such reviews?\nc. Number of agency employees including                 2,500              2,684\ncontractors.\n d. Number and percentage of agency                  700 (28%);       2,684 (100%);\n employees including contractors that               260 received      287 received\n received security training.                         orientation      orientation\n                                                      training        training\ne. Number of employees with significant\n                                                         43                 59\nsecurity responsibilities.\nf. Number of employees with significant\nsecurity responsibilities that received                  13                 18\nspecialized training.\ng. Briefly describe what types of security        Orientation,        Orientation,\ntraining were available.                          
Annual and          Annual and\n                                                  Specialized         Specialized\n                                                  Training,           Training,\n                                                  Seminars,           Seminars,\n                                                  Security Notices,   Security\n                                                  and SANS            Notices, and\n                                                  Institute           SANS\n                                                                      Institute\nh. Total costs for providing training described        $35,500           $48,800\nin (g).\ni. Do agency POA&Ms account for all known         The quarterly POA&Ms submitted\nagency security weaknesses including of all       per FY01 reporting instructions\ncomponents and field activities? If no, why       did not account for all weaknesses.\nnot?                                              The agency has obtained a better\n                                                  understanding of the GISRA\n                                                  reporting requirements.\n                                                  Additionally, the initial POA&M\n                                                  did not include weaknesses that\n                                                  had not been issued in final\n                                                  audit/evaluation reports, although\n                                                  they were communicated as draft\n                                                  findings. When final reports were\n                                                  issued, subsequent POA&Ms were\n                                                  not modified to include these\n                                                  weaknesses. 
Going forward, all\n                                                  known weaknesses will be\n                                                  reflected in agency POA&Ms.\nj. Has the CIO appointed a senior agency          Yes, the FCC Computer Security\ninformation security official?                    Officer is the senior agency\n                                                  information security official.\n\n\n                                                                             A-9\n\x0c2. OMB Question:\n   For operations and assets under their control (e.g., network operations), has the\n   agency CIO used appropriate methods (e.g., audits or inspections) to ensure that\n   contractor provided services (e.g., network or website operations) or services\n   provided by another agency are adequately secure and meet the requirements of the\n   Security Act, OMB policy and NIST guidance, national security policy, and agency\n   policy? Identify actual performance according to the measures and in the format\n   provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the\n   Security Act.)\n\n    FCC-IG Response:\n\n                                                                                 FY01      FY02\n        a. Number of contractor operations or facilities.                         9         10\n        b. Number of contractor operations or facilities reviewed.                3          3\n\n\n3. OMB Question:\n   Has the agency CIO fully integrated security into the agency\xe2\x80\x99s capital planning and\n   investment control process? Were security requirements and costs reported on every\n   FY03 capital asset plan (as well as in the exhibit 53) submitted by the agency to\n   OMB? If no, why not? Identify actual performance according to the measures and in\n   the format provided below. 
(Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and\n   3534(a)(C) of the Security Act.)\n\n   FCC-IG Response:\n\n                                                                          FY03      FY04\n                                                                          Budget    Budget\n                                                                         Materials Materials\n        a. Number of capital asset plans and justifications                 2         5\n        submitted to OMB?\n        b. Number of capital asset plans and justifications                  0             0\n        submitted to OMB without requisite security\n        information and costs?\n        c. Were security costs reported for all agency systems              yes           yes\n        on the agency\xe2\x80\x99s exhibit 53?\n        d. Have all discrepancies been corrected?                           N/A           N/A\n        e. How many have the CIO/other appropriate official                  2*            5*\n        independently validated prior to submittal to OMB?\n          *FCC-IG will review this information as part of the OIG's IT Capital Investment Audit that\n           began on September 10, 2002.\n\n\n\n\n                                                                                                A-10\n\x0c                     APPENDIX B\n\n\n\n\nFY 2002 Government Information Security Reform Act\n         (GISRA) Independent Evaluation\n\n\n\n\nFederal Communications Commission - Office of Inspector General\n\n            Report on Automated Auction System\n             (Audit Report No. 02-AUD-02-08)\n                   (Previously posted on OIG Website)\n\x0cA-1\n\x0c"